Getting the most out of automated IT security management

The National Institute of Standards and Technology is updating guidelines for using the Security Content Automation Protocol (SCAP) for checking and validating security settings on IT systems.

SCAP is a NIST specification for expressing and manipulating security data in standardized ways, including implementing security configuration baselines, verifying patches and known vulnerabilities, continuous monitoring of vulnerabilities and security configuration settings, looking for signs of compromise, and determining the security posture of systems.

Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, is being revised to provide an overview of its use as well as guidance to vendors for adopting the protocols in their products and services.

Automating security is challenging because of the number and variety of systems being secured, the need to respond quickly to new threats, and the lack of interoperability of security tools. SCAP is an effort to provide a standardized approach to addressing these challenges. It is “a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.”

Several organizations created and maintain the SCAP components, including Mitre Corp., the National Security Agency, and the Forum for Incident Response and Security Teams. NIST provides SCAP content such as vulnerability and product enumeration identifiers via the National Vulnerability Database. All database content and the high-level SCAP specification are available free from NIST. Nongovernment organizations also create and make SCAP content available.

The specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection. The specifications included in the current version are:

Languages:

Extensible Configuration Checklist Description Format (XCCDF) 1.2

Open Vulnerability and Assessment Language (OVAL) 5.10

Open Checklist Interactive Language (OCIL) 2.0

Reporting formats:

Asset Reporting Format (ARF) 1.1

Asset Identification 1.1

Enumerations:

Common Platform Enumeration (CPE) 2.3

Common Configuration Enumeration (CCE) 5

Common Vulnerabilities and Exposures (CVE)

Measurement and scoring systems:

Common Vulnerability Scoring System (CVSS) 1.0

Common Configuration Scoring System (CCSS) 1.0

Integrity protection:

Trust Model for Security Automation Data (TMSAD) 1.0

“Each of the SCAP components offers unique functions and can be used independently, but greater benefits can be achieved by using the components together,” the document says. “SCAP-expressed checklists use a standardized language to express what checks should be performed, which platforms are being discussed, and which security settings and software flaw vulnerabilities should be addressed.”

NIST has established a SCAP product validation program and laboratory accreditation program to ensure that SCAP products conform to requirements. “Given SCAP’s complexity, this formal testing is needed,” NIST says.

In using SCAP, the NIST guidelines recommend that organizations:

Use security configuration checklists that are expressed using SCAP. A SCAP-expressed checklist documents desired security configuration settings, installed patches, and other system security elements using a standardized format.

Take advantage of SCAP to demonstrate compliance with high-level security requirements. SCAP-expressed checklists can map individual system security configuration settings to their corresponding high-level security requirements.

Use standardized SCAP enumerations, identifiers and product names. The common understanding achieved through the use of standardized enumerations makes it easier to use security tools, share information and provide guidance to address security issues.

Use SCAP for security measurement and scoring. SCAP enables quantitative and repeatable measurement and scoring of software flaw vulnerabilities and software security configuration issues across systems.

Acquire and use SCAP-validated products.

NIST also encourages software developers and organizations producing security checklists to adopt SCAP, rather than relying on manual checks or proprietary checking mechanisms. The depth of knowledge also makes product vendors particularly helpful in implementing SCAP and checklist developers can contribute applicable lists to NIST’s National Checklist Program to help ensure that they are available to the broadest possible audience.